App Rules - Escaping your slashes

After spending some time writing application rules to detect PowerShell use, lateral movement and indicators of compromise in endpoint events, I figured a post on how escaping backslashes (\) works in application rules would be useful.

It took me a while to wrap my head around it, so this hopefully saves you some time.

This is what an event might look like as meta in NetWitness:

Notice the backslashes in the directory field of the event itself: in the meta they appear as a single backslash (\).

If you were to drill on that directory meta, or copy it out as text, it would look like this: